Missing User Warnings
Medium
- Confidence
- 92% confidence
- Finding
- The documentation instructs users to place an OAuth client ID and client secret into a local config.json file, but provides no explicit guidance on secure storage, file permissions, avoiding source control, or secret leakage. While this is a personal desktop OAuth client and not a server credential, the client secret is still sensitive and careless handling can expose the OAuth app configuration or enable misuse if the file is copied, backed up insecurely, or committed to a repository.
